follow RFC-6120 section 6.4.4: send <abord> and a SASL authentication mechanism fails, wait for server <failure> reply before trying a new mechanism

2011-08-22 13:45:29 +02:00 · 2011-08-22 13:45:29 +02:00 · 920f5e320b
commit 920f5e320b
parent fc765088f7
1 changed files with 10 additions and 4 deletions
--- a/src/common/xmpp/auth_nb.py
+++ b/src/common/xmpp/auth_nb.py
@ -49,6 +49,7 @@ except ImportError:

 GSS_STATE_STEP = 0
 GSS_STATE_WRAP = 1
+SASL_FAILURE_IN_PROGRESS = 'failure-in-process'
 SASL_FAILURE = 'failure'
 SASL_SUCCESS = 'success'
 SASL_UNSUPPORTED = 'not-supported'
@ -285,15 +286,20 @@ class SASL(PlugIn):
        ### Handle Auth result
        def on_auth_fail(reason):
            log.info('Failed SASL authentification: %s' % reason)
+            self._owner.send(str(Node('abort', attrs={'xmlns': NS_SASL})))
            if len(self.mecs) > 0:
-                # There are other mechanisms to test
-                self.MechanismHandler()
+                # There are other mechanisms to test, but wait for <failure>
+                # answer from server
+                self.startsasl = SASL_FAILURE_IN_PROGRESS
                raise NodeProcessed
            if self.on_sasl:
                self.on_sasl()
            raise NodeProcessed

        if challenge.getName() == 'failure':
+            if self.startsasl == SASL_FAILURE_IN_PROGRESS:
+                self.MechanismHandler()
+                raise NodeProcessed
            self.startsasl = SASL_FAILURE
            try:
                reason = challenge.getChildren()[0]